Can I use third-party collaboration tools that collect personal information in Utah? What are the requirements?

To use third-party collaboration tools that collect personal information in Utah, you must comply with the state’s regulations on the use of Personally Identifiable Information (PII) ^[2.1]. According to UTAC R895-8-6, any PII provided to a state website shall be used solely by the state, its entities, and third-party agents with whom it has contracted to perform a state function on its behalf, unless superseded by a federal statute, federal regulation, or state statute ^[2.1]. Therefore, if you are a third-party agent contracted by the state to perform a state function, you may use PII collected through collaboration tools.

If you are not a contracted third-party agent, you may only use PII to the extent required by the superseding federal statute, federal regulation, or state statute ^[2.1]. Additionally, any person who conducts business in the state and maintains personal information shall implement and maintain reasonable procedures to prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business ^[3.1]. The destruction of records containing personal information that are not to be retained by the person shall be by shredding, erasing, or otherwise modifying the personal information to make the information indecipherable ^[3.1].

If you become aware of a breach of system security that includes personal information concerning a Utah resident, you must conduct a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused for identity theft or fraud purposes ^[3.2]. If the investigation reveals that the misuse of personal information for identity theft or fraud purposes has occurred or is reasonably likely to occur, you must provide notification to each affected Utah resident in the most expedient time possible without unreasonable delay ^[3.2].

Therefore, to use third-party collaboration tools that collect personal information in Utah, you must comply with the state’s regulations on the use of PII. You must also implement and maintain reasonable procedures to prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business. If you become aware of a breach of system security that includes personal information concerning a Utah resident, you must conduct a reasonable and prompt investigation and provide notification to each affected Utah resident.

Source(s):

• [2.1] Use of Personally Identifiable Information.
• [3.1] Protection of personal information. (Effective 5/14/2019)
• [3.2] Personal information – Disclosure of system security breach. (Effective 5/14/2019)

Jurisdiction

Utah

• Privacy